ActivePerl 5.24.1 and 5.22.3

January 17, 2017 - 1:05pm, jeffr

Steve Hay, a member of the Perl 5 core team, mentions in the community release announcement that “Perl 5.24.1 represents approximately 8 months of development since Perl 5.24.0 and contains approximately 8,100 lines of changes across 240 files from 18 authors.” And with that, ActivePerl 5.24.1 becomes our recommended version suitable for production contexts.

However, there is one ongoing security issue that is important to understand.

5.24.1 and 5.22.3 were originally held up so that the Perl 5 core team could deal with CVE-2016-1238. If you are not already aware, the problem relates to an unsafe module load path (“@INC”) whose last entry is the current directory (“.”). When “perl” tries to load an optional module that is not installed in any of the earlier @INC directories, the search falls through to the current directory. Under some conditions this vulnerability can lead to arbitrary code execution, for instance when the current directory is writable by other users (e.g. /tmp), since a file with the expected module name placed there would be loaded and run.

After considerable debate and investigation into resolving this issue in a variety of ways, the Perl core team decided to get the other accumulated changes out for public consumption and continue to work on the CVE in the next release. In the 5.24.1 and 5.22.3 releases, a partial set of changes was made so that the core modules and tools no longer search “.” when loading optional modules. The rest of the changes needed to fully resolve the CVE were not included at this time because they risk breaking existing applications. A workaround is outlined in http://search.cpan.org/~shay/perl/pod/perldelta.pod. The next releases, 5.24.2 and 5.22.4, will contain a final resolution to this issue.
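As an added illustration of the same technique the core modules now use (not code from the ActiveState post or from perldelta), the script below audits @INC for risky entries and loads an optional module with “.” removed from the search path for the duration of the require. The module name Hypothetical::Optional is a placeholder, and the world-writable check assumes POSIX permission bits.

```perl
#!/usr/bin/env perl
# Added example: audit @INC for CVE-2016-1238-style risks and keep "."
# out of the search path while loading an optional module.
use strict;
use warnings;
use File::Spec;

# Return [entry, reason] pairs for @INC entries that are risky:
# "." or any other relative path (resolved against the current directory),
# and directories that are world-writable such as /tmp.
# Assumes POSIX mode bits; on Windows the writable check is not meaningful.
sub risky_inc_entries {
    my @inc = @_;
    my @risky;
    for my $dir (@inc) {
        next if ref $dir;    # @INC hooks (code refs/objects) are not paths
        if ( !File::Spec->file_name_is_absolute($dir) ) {
            push @risky, [ $dir, 'relative path (resolved against cwd)' ];
            next;
        }
        if ( -d $dir ) {
            my $mode = ( stat $dir )[2];
            push @risky, [ $dir, 'world-writable' ] if $mode & 0002;
        }
    }
    return @risky;
}

# Load an optional module with "." excluded from @INC for this require only,
# so a module missing from the real library paths is never picked up from
# the current directory. Returns 1 if loaded, 0 if unavailable.
sub require_optional {
    my ($module) = @_;
    ( my $file = "$module.pm" ) =~ s{::}{/}g;
    local @INC = grep { ref($_) || $_ ne '.' } @INC;
    my $ok = eval { require $file; 1 };
    return $ok ? 1 : 0;
}

unless (caller) {
    for my $e ( risky_inc_entries(@INC) ) {
        printf "risky \@INC entry %s: %s\n", @$e;
    }
    # Hypothetical::Optional is a placeholder name for an optional dependency.
    print require_optional('Hypothetical::Optional')
        ? "optional module loaded\n"
        : "optional module not available (current directory was not searched)\n";
}
```

Run it from a world-writable directory on a pre-5.26 perl to see “.” reported, and note that require_optional still returns 0 even if a same-named .pm file exists in that directory.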